Below is a list of extensive Audit Questions that some of our Clients have received from TransUnion.
The Answers listed below will be in Blue
1.0 Security Policy
Reseller shall maintain a documented set of rules and procedures
that regulate the use of information, including its receipt, transmission, processing,
storage, controls, distribution, retrieval, access and presentation. This includes the
laws, rules and practices that regulate how an organization manages, protect and
distributes confidential information.
1.1 Formal Security Policy
Reseller shall have an information security policy that is approved by Reseller’s senior management and is published and communicated to all Reseller employees. The security policy shall include:
(a) organizational security, (b) security asset management, (c) physical and environmental security, (d) security communication and connectivity change control, (e) data integrity, (f) incident response, (g) privacy, (h) back-up and off-site storage, (i) vulnerability monitoring, (j) information classification, (k) data handling policy, and (l) security configuration standards for network, operating systems, application and desktops.
Yes, there are policies and procedures for all of the above categories.
This is asking if the Reseller has Security Policies that are approved by management, published, and communicated. Though FRS is not explicitly required to, based on the question, FRS will attest that this is also true of the platform provider organization.
1.2 Security Policy Review
Reseller shall review the information security policy at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.
FRS reviews the security policies annually.
1.3 Information Security Function
An established Information Security function shall be in place and include a named individual who is accountable for leading information security initiatives as well as a defined job responsibilities.
FRS has an Information Security Function including a named individual who is accountable for leading these initiatives.
1.4 Communication
Reseller shall communicate and socialize its information security policy to its employees. Employees must be trained to identify and report suspected security weaknesses and incidents. The methods used to communicate should include: training programs, internal communications, and internal portals. Education, awareness and cross-training program attendance reports must be maintained and made available to TransUnion upon TransUnion’s reasonable request.
FRS employees are required to take annual security awareness training as well as read through the security policies, procedures, and guidelines. A record of this is maintained in their personnel files.
2.0 Asset Management
Reseller shall have effective controls in place to protect Reseller’s assets. Reseller shall maintain an accurate inventory of critical assets, establish ownership and stewardship of all critical assets, and classify critical assets based on business impact, including privacy implications, labeling of critical assets that Trans Union LLC Confidential Information A-4
do not readily identify the owner and nature of information and handling standards for
introduction, transfer, removal and disposal of all assets based on asset classification.
2.1 Asset Inventory
Reseller shall maintain a documented inventory of critical hardware and critical software assets. The critical hardware asset document shall include, at a minimum, the asset control tag, physical location, asset owner, operating system, environment, and asset classification. The critical software asset document shall include, at a minimum, environment (e.g., development, test or production), software version, host name and location and software licenses. Reseller will perform a periodic asset recertification on all assets. Any asset addition or removal from the facility must be documented.
FRS maintains an accurate inventory of all assets, their location, use, owner, OS, configuration, age, and other specifics are bout the individual asset. This inventory is reviewed periodically for accuracy. All assets are maintained on a schedule to provide for appropriate disposition of the asset.
2.2 Equipment
Reseller shall have procedures for the disposal and reuse of its equipment. Reseller shall also have notification procedures in the event of any lost or misplaced assets, which shall include notification to TransUnion where TransUnion Services are on or in the lost or misplaced assets. Replacement or risk mitigation strategies shall be in place for operating systems, software applications and critical infrastructure nearing the end of life.
FRS has clear procedures for disposal and reuse of equipment. FRS has notification procedures for the event of any data breach, whether malicious or unintentional. These procedures indicate that affected parties must be notified in the event of any potential loss or disclosure of data. All systems are managed according to a life-cycle and replaced as they near end of life.
3.0 Physical and Environmental Security
Reseller shall have effective controls in place to protect against unauthorized physical penetration, damage from environmental contaminants and electronic penetration through active or passive electronic emissions.
3.1 Physical Controls
Reseller shall have documented Physical Security controls that include, but are not limited to:
3.1.1 Access Control Procedures that restrict physical access (e.g., badge access, turnstile entry doors, security guards). A record of all accesses shall be securely maintained for a minimum of ninety (90)-days and physical access must be periodically recertified.
3.1.2 Intrusion Detection Alarms at egress/ingress points and monitored when triggered
3.1.3 Monitoring Cameras to cover sensitive areas (e.g. areas where TransUnion Services are stored, processed or otherwise handled) in the facility
3.1.4 Monitoring Equipment (CCTV) feed to sensitive areas either watched internally or externally by a qualified team
3.1.5 Monitoring External Doors to Reseller’s Facility
3.1.6 Defined Alterting Procedures that include notification to qualified personnel
3.1.7 Training individuals with monitoring responsibility on their response to security events
3.1.8 A defined clean Desk/Clear Screen Policy
3.1.9 Indentification Procedures Requirement that all Personnel wear some form of visible identification to identify them as employees, contractors, visitors, et cetera.
3.1.10 Visitation Procedures that require that visitors to secure areas be supervised, or cleared via an appropriate background check for non-escorted access. Date and time of entry and departure shall be recorded and kept for a minimum of ninety (90)-days.
The FRS Data center complies with all of the requirements of section 3.1 above.
3.2 Environmental Controls
Reseller shall have documented Environmental Security Controls that include that server(s) and computer equipment must be located in an environmentally appropriate area with the following controls: (a) climate control (temperature and humidity), (b) system thermostat sensor, (c)raised floor, (d) smoke detector, (e) heat detector, (f) fluid or water sensors,(g) CCTV installation points, (h) fire suppression system, (i) Uninterruptable Power Supply (UPS), (j) power generators, and (k) fire extinguisher equipment. The controls shall be tested periodically.
The servers are housed at our Flexential data center with all of the required systems in place, (redundant temperature and humidity controls; raised floors; smoke, fire, heat and water detectors and sensors; video security monitoring (24/7); redundant power sources, redundant ISP’s, UPS’s and backup generators).
The data center has detailed maintenance programs which span all systems and components, including power, networking, and infrastructure, all in an effort to prevent failures and maintain the 100% uptime. The data center has regularly scheduled maintenance tasks for: buildings, switchgear, power distribution units, generators, UPS banks, fire protection systems and extinguishers, and CRAC units. The data center has best-in-class equipment, supported by around-the-clock monitoring.
4.0 Communications and Connectivity
Reseller shall implement robust controls over its communication network to safeguard TransUnion Services, tightly control access to network devices through management approval and subsequent audits, disable remote communication if no business need exists, log and monitor remote access, secure remote access devices and use strong authentication and encryption to secure communications.
FRS provides for all of its clients communication protection including 24/7 monitored and managed firewalls. These require regularly audited change control prior to any actions being performed on the devices. The firewalls incorporate an ending rule of deny all and are only opened for actions that are required for operations. The firewalls are designed to fail shut.
4.1 Network Identification
Reseller shall document and keep current a network diagram highlighting key internal network components, network boundary components and DMZ environment. A current data flow diagram must exist to identify the paths/environments where TransUnion Services are collected, accessed, processed and/or stored. All TransUnion Services shall be stored/maintained in a manner that allows for its return and/or secure destruction upon TransUnion’s request.
All systems and paths are defined on the network diagram and tracked based on their role in the processing of data. All TU data is stored/maintained in a secure environment to which no end users have direct logical or physical access.
4.2 Firewalls
A firewall management process shall be documented. Firewall changes shall be performed via a change management process. Access shall be limited to a small set of super users who have the appropriate approvals.
The development, test and production environments must be either firewalled or physically separate from one another. Vulnerability scans must be run periodically and critical vulnerabilities remediated within a defined and reasonable timeframe
Systems are protected using Firewalls, HIDS, and other security tools.
All systems and perimeter devices are continuously monitored, with events immediately mitigated
All systems are scanned for vulnerabilities weekly and managed for patch compliance
In addition to continuous perimeter event monitoring, (managed under a change control process), FRS monitors system and application level events. Events monitored include both system level (system, security, IIS, and application logs) and application level artifacts and events. FRS also has employed a SIEM to provide alerts for various higher profile events.
Development, test, and production environments are physically separate from one another and do not share any connectivity or information.
4.3 Network/Communications Security Policy
Reseller shall ensure that all firewall rules and router Access Control Lists (ACLs) are reviewed and approved by network administrators. IP addresses in the ACLs must be specific and anonymous connections must not be allowed. Ports and traffic paths not required for business purposes must be blocked. Periodic recertification and authorization of firewall rules must be performed.
FRS must approve any changes to the firewalls via the change control process and reviews the firewall configurations and IDS rules monthly. Rules are opened only for required business purposes and the default rule is deny all.
4.4 Remote Access Administration
Reseller shall ensure that unauthorized remote connections are disabled as part of the standard configuration. Data flow in the remote connection must be encrypted and multifactor authentication must be utilized. The remote connection setting must be set for no split tunneling. Moreover, to the extent Reseller (and not any third party engaged by Reseller to store, process or otherwise handle TransUnion Services) stores, processes or otherwise handles TransUnion Services within its own environment(s), then any Reseller remote session’s setting must prevent local storage and local printing of TransUnion Services by the remote device. For the avoidance of doubt, the restriction included in the foregoing sentence shall not apply to any third party engaged by Reseller for the purpose of storing, processing, or otherwise handling TransUnion Services.
Unauthorized remote connections are disabled by default policy with no split tunneling being utilized.
Remote administrative access to the production environment that houses website data is only available through a point to point VPN.
User access is as described above via RDP (role based and limited access) and HTTPS portal.
4.5 Mobile Computing
Reseller shall ensure that mobile computing (where permitted) is performed over encrypted channels and that Reseller seeks TransUnion’s prior approval before processing or storing any TransUnion Services on a mobile device. Wireless access to Reseller’s network must be configured to require authentication.
No sensitive customer data is retained on mobile devices.
4.6 Web Access
Web content filtering shall be in place to restrict external webmail, instant messaging, file sharing and other data leak vectors.
There is a web content and acceptable use policy in place that precludes external webmail, instant messaging, and file sharing from production devices.
5.0 Change Management
Reseller shall ensure that changes to the system, network, applications, and data file structures, other system components and physical/environmental changes are monitored and controlled through a formal change control process. Changes must be reviewed, approved and monitored during post-implementation to ensure the desired result is accurate.
All changes to production systems require change control, prior to implementation.
5.1 Change Policy and Procedure
The change policy must include (a) application changes, (b) operating system changes, (c) network infrastructure changes, (d) firewall changes, (e) clearly defined roles and responsibilities (including separation of duties), (f) impact or risk analysis of the change request, (g) testing prior to implementation, (h) security implications review, (i) authorization and approval, (j) post-installation validation, (k) back-out or recovery plans, (l) management sign-offs, (m) post-change review, and, (n) notification.
There is a change management strategy for all development, configuration and data storage procedures. The change management process defines roles, has deployment instructions, back-out instructions, pre-deployment testing, security review, approval, validation, and notification.
5.2 Emergency Fix
Emergency change procedures shall have stated roles/responsibilities for request and notification for key changes impacting services or that decreases the level of security protections. This must include post-change implementation validation and documentation updates.
Flaw remediation and is managed through the CWO, TESS (bug tracking), and issue management tools. FRS records security significant changes into the issue management tool prior to deployment. Other general patching of systems is tracked by our system administrator outside of any tool at this point
Software development and patching (both planned and emergency) is performed in adherence to the following steps:
1) Requirements Analysis,
2) Design, and Specifications,
3) Development
4) Code Review (peer),
5) Unit, Regression, Integration Testing,
6) QA,
7) Beta Testing / Client Acceptance Testing,
8) Documentation / Release Management
6.0 Operations
Reseller shall have documented Information Technology operations procedures to ensure correct and secure operations of its Information Technology assets.
6.1 Operational Procedures and Responsibilities
Reseller shall have documented operational procedures that include: (a) scheduling requirements, (b) error handling, (c) generating and handling special output, (d) maintenance and troubleshooting of systems, (e) procedures to manage SLAs/KPIs and (f) the reporting structure for escalations.
6.2 Problem Management
Reseller shall have a documented problem management procedure that includes: (a) identification, (b) assignment of severity to each problem, (c) communication, (d) resolution, (e) training (if required), (f) testing/validation and (g) reporting.
This speaks to both the Reseller activities as well as the platform provider. FRS can attest that they have procedures for this class of controls.
7.0 Logical Access
Reseller shall (a) ensure authentication and authorization controls are appropriately robust for the risk of the data, application and platform, (b) monitor access rights to ensure they are the minimum required for the current business needs of the users, (c) log access and security events and (d) use software that enables rapid analysis of user activities.
7.1 Logical Access Control Policy
Reseller shall have a documented logical access control policy that includes: (a) the request, approval and access provisioning process (for applications, databases, and remote users), (b) that user access (local or remote) must be based on job function (role/profile based, least privilege), (c) that user access recertification must be performed periodically, (d) the procedures for onboarding and offboarding users, and (e) the procedures for user inactivity threshold leading to account suspension and removal. National identifiers or Social Security Numbers must not be utilized as user IDs for logon to applications.
This is a shared responsibility. FRS has access control policy in place for our users and for the management of the Reseller systems.
7.2 Privileged Access
Reseller shall have a documented process for the management of privileged user accounts that includes: (a) that the creation and access of privileged accounts are limited to a pre-authorized set of users, (b) that a review/governance process is maintained, and, (c) usage of privileged accounts are controlled through strong access mechanisms.
This is a shared responsibility. FRS has access control processes in place for our users and for the management of the Reseller systems. The system provides mechanisms for the Reseller to execute these controls for their users of the platform.
8.0 Data Integrity
8.1 Data Transmission Controls
Reseller shall have a documented Data Transmission Control procedure that includes: (a) checked sums and counts that are employed to validate that the TransUnion Services transmitted are the same as that received, (b) procedures for records sent through a third party carrier, (c) return receipt controls, and, (d) that digital certificates are utilized to ensure data integrity during transmission.
All data is transmitted using AES 256 encryption over SSL connections.
8.2 Data Transaction Controls
Reseller shall have documented controls to prevent or identify duplicate transactions in financial messages.
Under FCRA, each reseller must validate all records for completeness and accuracy prior to releasing them to end users.
9.0 Encryption
TransUnion Services (including authentication credentials) shall be encrypted while in transit over any public shared network and non-wired network. Key management procedures shall be employed that ensure the confidentiality, integrity and availability of cryptographic key material. Use of encryption products shall comply with local restrictions and regulations on the use of encryption in a relevant jurisdiction.
Yes, calls for TransUnion reports are sent through Encrypted SSL connections using AES 256 at this time.
9.1 Encryption Policy
Reseller shall have a documented data security policy that dictates encryption technical architecture and use, and the encryption method and strength used to protect TransUnion Services must be defined. Acceptable encryption algorithms include 3DES and AES.
Yes.
9.2 Encryption Key Management
Reseller shall have a documented Cryptographic Key Management procedure that includes key rotation, and access to encryption keys must be restricted to named administrators.
Encryption keys shall be protected in storage. Whenever it is permitted by technology, data-encrypting keys shall not be stored on the same systems that perform encryption/decryption operations.
All keys are managed external to the system of use.
9.3 Encryption Uses
TransUnion Services shall be encrypted while in transit over any public shared network and non-wired network. Approved and dedicated staff must be responsible for encrypting/decrypting the data (if manual), laptops and other mobile devices must be encrypted, removable storage devices must be encrypted, VPN transmissions must be over an encrypted tunnel, and encryption automation details of storage and transmission between Reseller and TransUnion must be documented.
System access is available in two ways:
– Either through a restricted RDP session into the server that houses the FRS application, wherein the user accesses the data directly on the server or
– Through a web interface that employs HTTPS protocols for secure transmission of information. Note: this is only available for lower level access and provides restricted access to the system. This is implemented with AES-256 encryption.
Data is encrypted in transit with AES-256 encryption.
10.0 Website
Reseller shall establish controls to protect any TransUnion Services gathered via a website application hosted, developed or supported by Reseller.
10.1 Website Configuration
Reseller’s website configuration shall include: (a)multi-tiered security architecture that separates the web presentation, (b)business logic and data tier into distinct network security zones, (c) website design must force removal of cached data as part of the process upon session termination, (d) web server hardening-configurations relating to cookies must protect them from disclosure, (e) that where risk assessments or external requirements indicate the use of single-factor authentication is inadequate, the resource must implement multi-factor authentication (“MFA”). MFA requires the user to provide authentication credentials from a minimum of two different factors for authentication and must meet the criteria for strong multi-factor authentication, (f) that network-level restriction (whitelisting) must be in place to secure TransUnion Services, (g) that passwords/PINs must be entered in non-display fields, (h) that periodic penetration testing must be performed against the website, (i) that tools/solutions must be in place to monitor website uptime and (j) that restrictions must be placed on web server resources to limit denial of service (DOS) attacks.
All systems operate under a multi-tiered environment with presentation logic separated from the data layer. All systems clear cache upon completion of a function. Web servers do not allow the transmission or disclosure of any sensitive information through cookies.
The current system does not support MFA. MFA is slated for the next release of the platform due for delivery in late 2017.
Only whitelisted servers may talk to internal systems containing all parts of the TU information. All passwords are masked as they are being entered. The platform provider performs periodic external scans against all internet facing systems. All websites are continuously monitored for uptime/performance. FRS employs DOS protection for all web services.
11.0 System Development
11.1 SLDC Requirements
11.1.1 Version control and release management procedures.
Yes.
11.1.2 Security activities that foster development of secure software (e.g. Requirements in requirements phase, secure architecture design, static code analysis during development and dynamic scanning or penetration test of code during QA phase with High and above vulnerabilities remediated before moving to the next phase).
Yes.
11.1.3 Software security testing shall occur based on the Open Web Application Security Project (OWASP) Top 10 and Sys Admin, Audit, Networking, and Security Institute (SANS) Top 25 software security risks or comparable replacement and should include: (a) cross site scripting (XSS), (b) injection flaws, (c) malicious file execution, (d) insecure direct object, (e) reference cross site request forgery (CSRF), (f) information leakage and improper error handling, broken authentication and session management, (g) insecure cryptographic storage, (h) insecure communication, and (i) failure to restrict URL access.
All new development on the FRS system follows OWASP framework for ensuring secure handling of client data.
11.1.4 SDLC methodology shall: (a) include validation of security requirements (e.g., IS sign-offs, periodic IS reviews, static/dynamic scanning); (b) include requirements for documentation; and (c) be managed by appropriate access controls.
Yes.
11.1.5 Where assessments are required, artifacts shall be provided that evidence completion of application testing. Code certification shall be performed to include security review when developed by third parties. Software executables related to client/server architecture that is involved in handling TransUnion Services shall be penetration tested.
All third-party elements used are vetted for security requirements. Penetration testing is performed at client expense upon request and coordination with FRS.
11.1.6 Third Party and Open Source Code used in Reseller-provided applications shall be appropriately licensed, inventoried, and supported, and patches shall be applied timely and evaluated for security defects on an on-going basis. Software vulnerability assessments shall be conducted on an on-going basis internally or using external experts and any gaps identified shall be remediated in a timely manner. If TransUnion Service are used in a test environment, the level of controls must be consistent with production controls. Production data must be sanitized before used in nonproduction environments and developer access to production environments must be restricted by policy and in implementation.
Yes.
12.0 Incident Response
Reseller shall have a documented plan and associated procedures in case of an information security incident. The plan shall clearly articulate the responsibilities of personnel and identify relevant notification parties. Incident response personnel must be trained and the plan must be tested periodically.
12.1 Incident Response Process
The Incident Response policy and procedure shall be documented and include the following: (a) defined organizational structure, (b) identified response team, (c) documented availability of the response team, and (d) documented timelines for incident detection and disclosure.
Yes.
12.1.1 The Incident Response process lifecycle shall include the following steps (i) identification, (ii) assignment of severity to each incident, (iii) communication, (iv) resolution, (v) training, (vi) testing, and, (vii) reporting.
Yes.
12.1.2 Incidents shall be classified and prioritized and incident response procedures must include notification to TransUnion.
12.1.3 The incident response process must be executed as soon as Reseller is aware of the incident, irrespective of time of day.
FRS has a CSIRM (Cyber Security Incident Response Manual) that includes procedures related to intrusions, data breaches, the management of the event, communication, and root cause analysis.
The CSIRM includes procedures for notifying appropriate personnel in the event of any identified security incident. At this time, the notification would be to our client, who would then engage directly with their clients and other contracted partners
13.0 Back-up and Off-site Storage
The requirements set forth in this Section 13 shall apply solely to the extent Reseller maintains Back-up capabilities or utilizes off-site storage. In no event shall the requirements in this Section 13 be deemed to require Reseller to maintain such capabilities or utilize off-site storage. Reseller shall have a defined back-up policy and associated procedures for performing back-up of TransUnion Services in a scheduled and timely manner. Effective controls shall be established for performing back-up of TransUnion Services in a scheduled and timely manner.
13.1 Back-up Process
Back-up and off-site storage procedures shall be documented. Procedures shall encompass the ability to fully restore applications and operating systems. Periodic testing of successful restoration from back-up media must be demonstrated and the on-site staging area must have documented and demonstrated environmental controls.
Yes. Currently, Backups are performed on a bare metal level and those backups are stored on site only at the secure data center. Backups occur multiple times each day and are stored separately from originating systems. The backups are performed on OS and system data and are validated periodically.
13.2 Back-up Media Destructions
Procedures shall be defined to instruct Personnel on the proper methods for back-up media destruction. Back-up media destroyed by a third party must have documented procedures for destruction confirmation (e.g., certificate of destruction). Evidence of off-site media destruction shall be obtained.
System and backup hard drives are wiped using DOD and NIST standards when taken out of production.
13.3 Off-site Storage
A physical security plan and policies for the off-site facility shall be documented. Access controls shall be enforced at entry points and storage rooms. Access to the off-site facility shall be restricted and an approval process shall be in place to obtain access. Electronic transmissions of TransUnion Services to off-site locations shall be encrypted. Back-up storage devices shall be encrypted and secure transportation of media to and from off-site locations shall be defined.
There is no offsite-storage of backups. All backups are stored securely onsite in the datacenter we utilize.
14.0 E-mail and IM
Reseller shall have policies and procedures established and adhered to that ensure proper control of an electronic mail and/or instant messaging (“IM”) system that displays and/or contains TransUnion Services.
14.1 Authorized E-mail Systems
Access to non-corporate/personal e-mail solutions shall be restricted based on policy. Preventive controls shall be in place to prevent TransUnion Services from being sent externally through email without encryption. Preventive and detective controls must block malicious e-mails/attachments. Policy shall prohibit auto-forwarding of emails. E-mails with TransUnion Services or which contains personally identifiable information shall be encrypted if leaving the Reseller network. The encryption mechanism may be automated (e.g., Transport Layer Security) or manual (e.g., WINZIP).
There are no mail clients on production systems. All messaging is handled from within the system is set to be encrypted by default if it contains PII.
14.2 Authorized IM Systems
Access to external IM shall be prohibited from Reseller’s network based on policy. If internal IM is used, specific policies shall restrict the transmission of TransUnion Services over internal IM.
There are no IM clients or services permitted on production systems. All messaging is handled from within the system is set to be encrypted by default if it contains PII.
15.0 Media and Vital Records
Reseller shall establish and ensure compliance with policies for the secure handling and storing data. Reseller shall ensure safe, secure disposal of media and secure media in transit or transmission to and from Reseller.
15.1 Handling and Storage
Electronic or paper records movement procedures shall be documented and shall include safe storage and the secure transportation from source to destination, including transit stops.
15.2 Paper Record Control
Paper records containing TransUnion Services shall be stored in secure bins. Access to bins shall be limited to select staff only. Access recertification shall be performed periodically. Retention procedures for all paper records shall be no less than that required by industry standards. Document destruction or shredding shall be performed in a secure manner in accordance with the requirements of the Agreement. If a third party is used
for secure shredding/destruction, a services contract with confidentiality and security terms shall be in place and documented as a third party relationship.
15.3 Transportation Logistics
The Reseller utilized for transportation of media shall be licensed and bonded. Controls shall be in place to safeguard media/vital records during transportation. Emergency procedures shall be documented and if any media/vital record is lost or unrecoverable during transport, then the incident shall be reported.
15.0 – 15.3 are the Resellers Responsibility
16.0 Standard Builds
Reseller’s information systems shall be deployed with appropriate security configurations and reviewed periodically to ensure compliance with Reseller’s security policies and standards.
16.1 Server Configuration Availability
Reseller shall maintain standard security configuration documentation related to Reseller’s performance under the Agreement. Security hardening shall be documented. Procedures shall include: (a) security patches, (b) vulnerability management, (c) default passwords, (d) registry settings, (e) file directory rights and (f) permissions.
Yes
16.2 System Patches
Security patch processes and procedures shall be documented and include requirements for timely patch application.
Yes
16.3 Operating System
Reseller shall have documented operating system versions implemented for environments associated with Reseller’s performance under the Agreement. A minimum security baseline shall be established for the operating systems and versions. Multiple simultaneous logins to the environment shall not be allowed for any single administrator. Procedures for authorizing and tracking administrator passwords shall be documented. Administrator passwords shall be configured to expire frequently commensurate with the impact of their unauthorized use. Unsupported operating systems must not be used.
Yes
16.4 Desktop Controls
Users shall not be permitted to be local administrators to their workstations. Key desktop security settings (e.g., screen saver, antivirus) must be unalterable users. Policy shall include language preventing personnel from storing any information that is classified as “TransUnion Services” on their desktops. Reseller shall not allow the users the ability to write or save from their desktop to a device (e.g. CD, DVD, USB). When writing is permitted, this shall be done on an exception basis and the business justification documented.
No FRS company user may transfer or store any sensitive information from the production environment to their local computer. Clients that access the systems must only handle data required to perform their duties and this is done through the secure web portal or on the remote desktop.
17.0 Vulnerability Monitoring
Reseller’s information systems shall be deployed with appropriate security configurations and reviewed periodically to ensure compliance with Reseller’s security policies and standards.
17.1 Vulnerability Policy and Procedure
Penetration/vulnerability testing shall be performed against internal/external networks and/or specific hosts. The tests must be performed by a reputable external organization. Environments containing TransUnion Services must be covered as part of the scope of the tests. Issues rated as critical or high risk must be remediated within the appropriate timelines that have been communicated to TransUnion, and Reseller shall notify TransUnion of any critical/high vulnerabilities that will not be remediated within those timeframes.
All systems are scanned weekly for vulnerabilities and discovered issues are remediated in a timely fashion.
17.2 Anti-Virus and Malicious Code
Servers, workstations and internet gateway devices shall be updated periodically with the latest anti-virus definitions. Defined procedures shall highlight anti-virus updates. Anti-virus tools shall be configured to run weekly scans, virus detection, real- time file write activity and signature file updates. Laptops and remote users shall be covered under virus protection. Reseller shall have procedures documented and in place to detect and remove any unauthorized or unsupported applications.
Yes
17.3 Intrusion Detection Administration
Intrusion detection tools must be running on servers where TransUnion Services are stored, processed or accessed. Intrusion detection tools shall perform real-time scanning and signatures shall be updated in a timely manner. Automated alerting must be defined to appropriate individuals as part of the intrusion detection systems. Alert events shall include: (a) unique identifier, (b) date, (c) time, (d) priority level identifier, e) source IP address, (f) destination IP address, (g) event description, (h) notification sent to the security team and (i) event status.
All systems in the production environment are protected via a managed HIDS. This includes real-time scanning as well as regularly updated signatures. All alert events are provided to FRS management and include the relevant information as indicated above. More critical events also include 24/7 phone calls to management for remediation.
17.4 Security Event Monitoring
Security events shall be logged (in log files), monitored (by appropriate individuals), addressed and resolved in a timely manner. Actions must be taken to resolve security events and such actions shall be documented. Network components, workstations, applications and any monitoring tools shall be enabled to monitor user activity. Organizational responsibility for responding to events shall be defined. Configuration checking tools or other logs shall be utilized that record critical system configuration changes. The log permission must restrict alteration by administrators or any user. A retention schedule for various logs shall be defined and adhered to. IDS effectiveness shall be tested periodically.
All systems in the production environment are protected via a managed HIDS. This includes real-time scanning as well as regularly updated signatures. All alert events are provided to FRS management and include the relevant information as indicated above. Higher criticality events also include 24/7 phone calls to management for remediation.
17.5 Reporting
Reseller shall report any Critical Vulnerability that could reasonably be expected to impact the security of TransUnion Services within twenty-four (24) hours of Reseller’s discovery and/or receipt of notice of such Critical Vulnerability. In addition, Reseller shall actively monitor industry resources (e.g., www.cert.org, pertinent software vendor mailing lists and websites and information from subscriptions to automated notification services) for applicable security alerts and, within twenty-four (24) hours of its discovery, notify TransUnion of a “zero-day” Critical Vulnerability in Reseller’s external facing or internal environments (each, a “Critical Vulnerability”). Such notice shall include the perceived impact and a written and detailed plan to appropriately and urgently remediate such Critical Vulnerability. Reseller shall also provide written confirmation as soon as each such Critical Vulnerability has been remediated.
FRS notifies relevant parties of any system impacting vulnerabilities, security alerts, data breaches, or other critical events according to policy.
17.6 Remediation
If Critical Vulnerabilities are identified, Reseller shall promptly document and implement a mutually agreed upon remediation plan, and upon TransUnion’s request, provide TransUnion with the status of the implementation. If High Risk Vulnerabilities are identified (i.e. vulnerabilities for which there is a reasonable expectation that exploit code will be available in the near future or is under development which will affect the confidentiality, integrity, or availability of the system and data, which such High Risk Vulnerabilities are defined and recorded at the National Vulnerability Database (https://nvd.nist.gov/home.cfm)) and not remediated, Reseller shall promptly provide TransUnion with a detailed mitigation process to reduce the risk to Reseller’s environments and systems that include TransUnion Services
All systems and perimeter devices are continuously monitored, with events immediately mitigated
All systems are scanned for vulnerabilities weekly and managed for patch compliance.
In addition to continuous perimeter event monitoring, FRS monitors system and application level events. Events monitored include both system level (system, security, IIS, and application logs) and application level artifacts and events. FRS also has employed a SIEM to provide alerts for various higher profile events
18.0 Cloud Technology
Reseller shall adequately safeguard TransUnion Services that are stored, processed or transmitted using Cloud Technology. “Cloud Technology” is defined as any externally hosted technology offering for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
18.1 Minimum Control Requirements
All of the requirements in this TransUnion Information Security Requirements Exhibit apply to any use of Cloud Technology to store, process or transmit TransUnion Services.
18.2 Pre-Approval and Specific Requirements
Reseller shall inform TransUnion of, and obtain TransUnion’s written approval of, Cloud Technology before it is used to store, process or transmit TransUnion Services. Reseller shall have the following specific requirements in place for Cloud Technology: (a) physical restrictions must be in place to limit access to privileged user self-service functionality; (b) Reseller’s Personnel with responsibilities for implementing or managing Reseller’s use of Cloud Technology must be formally trained in the secure implementation and use of those services; (c) where technically feasible, web proxy (URL) filtering of Cloud Technology must be in place, with unapproved access to cloud technology blocked by default; (d) where material changes are planned to the approved use of an external Cloud Technology
that stores, processes or transmits TransUnion Services, TransUnion must approve the proposed changes before they are executed; and (e) when disengagement of a Cloud Technology service provider occurs, TransUnion Services must be securely destroyed in accordance with the requirements of the Agreement and this TransUnion Information Security Requirements
Exhibit.
N/A
19.0 Vulnerability Scans
Reseller shall engage a nationally recognized, industry leading third party of Reseller’s choosing to conduct Critical Vulnerability scans of Reseller’s external-facing and internal environments. Reseller shall provide industry standard reviews and assessment it has performed by its professional external auditors, including results of the vulnerability scans, to TransUnion upon request.
Internal Scans are done with Rapid 7 Nexpose. External scans are performed periodically and can be performed upon request.
20.0 PCI
If Reseller stores, processes or transmits payment card primary account numbers or cardholder data, then Reseller shall comply with the current PCI standard.
Credit card transactions are handled through Authorize.net and Credit card information is not kept on our systems.
21.0 SSAE
At least annually, Reseller will engage a qualified independent third party to: (i) perform a review or assessment of all key systems and operational controls used in connection with any TransUnion Services under (A) SSAE 16 SOC 2, (B) PCI, (C) HIPAA, (D) HITRUST, (E) NIST 800-53 or 890-171, (F) FISMA, (G) ISO27001, (H) ISAE 3402 (International Standards on Assurance Engagements No. 3402) Type II, (I) BITS Financial Institution Shared Assessment Program (Standardized Information Gathering plus Agreed Upon Procedures), (F) SysTrust review (in accordance with principles and criteria developed by the American Institute of Certified Public Accountants), or (G) another industry standard reasonably acceptable to TransUnion, and upon request, provide the report(s) to TransUnion for review; and (ii) conduct an independent network and application penetration test. Without limitation of TransUnion’s other rights and remedies under the Agreement, Reseller shall (a) remediate all Critical Vulnerabilities identified in such reviews/tests and shall consider in good faith the implementation of any other reasonable recommendations made by TransUnion; (b) upon TransUnion’s request, provide TransUnion with the status of the remediation and implementation; and (c) with respect to any High Risk Vulnerabilities that are identified and not remediated, promptly provide TransUnion with a detailed mitigation process (including a description of the relevant compensating controls) to reduce the risk to Reseller’s environments and systems that include TransUnion Services.
The datacenter FRS utilizes is SOC2-compliant. As part of the process of passing the SOC-2 audit, this datacenter exhibited plans for vulnerability remediation. Vulnerability scans, security monitoring, and risk assessment studies were performed to be in compliance with SOC2.
22.0 System Modification
Before Reseller may modify its systems containing TransUnion Services in a way that could reasonably have an adverse impact the security of its systems, Reseller shall send a thirty (30)-day advance written notice to TransUnion containing a reasonably detailed description of the proposed modification and a representation and warranty that: (a) the proposed modifications will not pose any new or additional risks to any TransUnion Services; and (b) Reseller’s systems will continue to comply with the terms of the Agreement and this TransUnion Information Security Requirements Exhibit.
FRS will notify Reseller of any adversely impacting changes to the system. The reseller has the responsibility to their data providers to provide appropriate notice.
23.0 Additional Reports
In addition to any other reporting requirements set forth in this TransUnion Information Security Requirements Exhibit or the Agreement, Reseller shall provide the following written periodic reports to TransUnion, upon TransUnion’s request (but not more than once per calendar quarter):
23.1 Summary system and network security incident reporting and access violation reporting, and summary of any Reseller remediation or action plans, in each case to the extent such incident or violation required notification to TransUnion hereunder;
23.2 Summary of incidents and breaches as to which Reseller was required to inform TransUnion per the terms of the Agreement and this TransUnion Information Security Requirements Exhibit, and summary of any Reseller remediation or action plans; and,
23.3 The status of any existing remediation or action plans related to any previously reported incident.
